Appl.No.: 10/720,329 

Amdt. Dated August 7, 2009 

Response to Office Action of June 1, 2009 

Amendments to the Claims : 

This following listing of claims will replace all prior versions and listings of claims in the 
application. 

1. (currently amended) A method facilitating classification of data flows, comprising 

monitoring, [[at]] by. a network device, a data flow associated with a host relative to at 
least one behavioral attribute; 

comparing the at least one behavioral attribute observed in the monitoring step to a 
knowledge base of at least one known application behavior pattern, wherein the at least one 
known application behavior pattern corresponds to a network application classification and 
comprises one or more behavioral attribute parameter values indicating a pattern of expected 
packet sizes for one or more packets of a data flow corresponding to the network application 
classification; and 

classifying the data flow into the network application classification by matching packet 
sizes of packets of the data flow to the pattern of expected packet sizes. 

2. (canceled) 

3. (previously amended) The method of claim 1 wherein the pattern of expected packet sizes 
includes a packet size of the first packet in the data flow corresponding to the network 
application classification. 

4. (previously amended) The method of claim 1 wherein the pattern of expected packet sizes 
includes a packet size of the second packet in the data flow corresponding to the network 
application classification. 

5. (previously amended) The method of claim 1 wherein the pattern of expected packet sizes 
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includes packet sizes for a plurality of packets in the data flow corresponding to the network 
application classification. 

6. (currently amended) A method facilitating classification of data flows, comprising 

monitoring, [[at]] by a network device, a data flow associated with a host relative to at 
least one behavioral attribute; 

comparing the at least one behavioral attribute observed in the monitoring step to a 
knowledge base of at least one known application behavior pattern, wherein the at least one 
known application behavior pattern corresponds to a network application classification and 
comprises one or more behavioral attribute parameter values indicating a pattern of expected 
information density associated with at least one packet in the data flow corresponding to the 
network application classification, wherein the information density corresponds to a level of 
randomness of data of the at least one packet; and 

classifying the data flow into the network application classification by matching 
information density of packets of the data flow to the pattern of expected information density. 

7. (previously amended) The method of claim 6 wherein the pattern of expected information 
density comprises the information density associated with the first packet in the data flow. 

8. (previously amended) The method of claim 1 wherein at least one behavioral attribute 
parameter value of the one or more behavioral attribute parameter values indicates the timing of 
the data flow relative to at least one similar data flow associated with the host. 

9. (previously amended) The method of claim 1 wherein at least one behavioral attribute 
parameter value of the one or more behavioral attribute parameter values indicates the number of 
related data flows associated with the host. 

10. (previously amended) The method of claim 1 wherein at least one behavioral attribute 
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parameter value of the one or more behavioral attribute parameter values indicates the timing 
between at least two packets in the data flow. 

1 1 . (previously amended) The method of claim 1 wherein at least one behavioral attribute 
parameter values of the one or more behavioral attribute parameter values indicates a sequence 
of protocol flags contained in packets of the data flow. 

12. (previously amended) The method of claim 1 wherein at least one behavioral attribute 
parameter values of the one or more behavioral attribute parameter values indicates a timing of 
protocol flags contained in packets of the data flow. 

13. (previously amended) The method of claim 1 wherein at least one behavioral attribute 
parameter values of the one or more behavioral attribute parameter values indicates a timing and 
sequence protocol flags contained in packets of the data flow. 

14. (original) The method of claim 1 wherein the application behavior pattern comprises at least 
one instance of any one of the following: a packet size pattern, a threshold information density 
value, a threshold inter- flow timing value, or a threshold number of related application data 
flows. 

15. (original) The method of claim 1 wherein the application behavior pattern characterizes the 
first group of packets of a data flow associated with a traffic class. 

16. (original) The method of claim 14 wherein the application behavior pattern characterizes 
the first group of packets of a data flow associated with a traffic class, and wherein the first 
group of packets are characterized in relation to at least one instance of any one of the following: 
a packet size pattern, a threshold information density value, a threshold inter-flow timing value, 
or a threshold number of related application data flows. 
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17. (previously amended) A method facilitating classification of data flows, comprising 

modeling behavior of a network application to generate an application behavior pattern 
corresponding to the network application; and 

configuring a network traffic monitoring device to monitor data flows relative to at least 
one behavioral attribute and classify the data flows into a traffic class of a plurality of traffic 
classes by comparing one or more of the data flows against the application behavior pattern; 
wherein the application behavior pattern comprises at least one instance of any one of the 
following: a pattern of expected packet sizes for one or more packets of a data flow 
corresponding to the network application, a pattern of expected threshold information density 
values for one or more packets of a data flow corresponding to the network application, a 
threshold inter-flow timing value between data flows corresponding to a host, or a threshold 
number of related application data flows corresponding to a host. 

18. (previously amended) The method of claim 17 wherein the application behavior pattern 
further comprises at least one instance of any one of the following: an inter-packet timing value 
between a plurality of packets of a data flow corresponding to the network application, a 
sequence of protocol flags in a plurality of packets of a data flow corresponding to the network 
application, an inter-packet protocol flag timing value corresponding to a plurality of packets of 
a data flow corresponding to the network application. 

19. (previously amended) The method of claim 18 wherein the protocol flags are Transport 
Control Protocol (TCP) protocol flags. 

20. (currently amended) A method facilitating classification of data flows, comprising 

monitoring, [[at]] by a network device, the data flows associated with a host relative to at 
least one application behavior model corresponding to a traffic class; 

matching, [[at]] by the network device, at least one of the data flows associated with the 
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host to a traffic class, if a threshold number of the data flows match a corresponding application 
behavior model; wherein the application behavior model comprises at least one instance of any 
one of the following: a pattern of expected packet sizes for one or more packets of a data flow 
corresponding to the network application, a pattern of expected threshold information density 
values for one or more packets of a data flow corresponding to the network application, a 
threshold inter-flow timing value between data flows corresponding to a host, a threshold 
number of related application data flows corresponding to a host, an inter-packet timing value 
between a plurality of packets of a data flow corresponding to the network application, a 
sequence of protocol flags in a plurality of packets of a data flow corresponding to the network 
application, an inter-packet protocol flag timing value corresponding to a plurality of packets of 
a data flow corresponding to the network application. 

21. (previously amended) An apparatus comprising 
a packet processor operative to 

detect data flows in network traffic traversing a communications path, the data 
flows each comprising at least one packet; 

parse at least one packet associated with a data flow into a flow specification, 
a traffic classification engine operative to 

match the data flow to a plurality of traffic classes, wherein at least one of the 
plurality of traffic classes is defined by one or more matching attributes, wherein said matching 
attributes are explicitly presented in the packets associated with the data flows, and wherein at 
least one other of the traffic classes is defined by one or more application behavior patterns, 
wherein the application behavior patterns each comprise at least one instance of any one of the 
following: a pattern of expected packet sizes for one or more packets of a data flow 
corresponding to a traffic class, a pattern of expected threshold information density values for 
one or more packets of a data flow corresponding to a traffic class, a threshold inter-flow timing 
value between data flows corresponding to a host, a threshold number of related application data 
flows corresponding to a host, an inter-packet timing value between a plurality of packets of a 

PAL01:103032.1 

Page 6 of 12 



Appl.No.: 10/720,329 

Amdt. Dated August 7, 2009 

Response to Office Action of June 1, 2009 

data flow, a sequence of protocol flags in a plurality of packets of a data flow, or an inter-packet 
protocol flag timing value between a plurality of packets of a data flow; 

having found a matching traffic class in the matching step, associate the flow 
specification corresponding to the data flow with a traffic class from the plurality of traffic 
classes. 

22. (canceled) 

23. (previously amended) The apparatus of claim 21 wherein said flow specification contains at 
least one instance of any one of the following: a protocol family designation, a direction of 
packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a 
multipurpose internet mail extensions (MIME) type, and a pointer to an application-specific 
attribute. 

24. (previously amended) The apparatus of claim 21 wherein said flow specification contains, 
and wherein the one or more matching attributes include, at least one instance of any one of the 
following: a protocol family designation, a direction of packet flow designation, a protocol type 
designation, a pair of hosts, a pair of ports, a pointer to a multipurpose internet mail extensions 
(MIME) type, and a pointer to an application-specific attribute. 

25. (original) The apparatus of claim 2 1 further comprising 

a flow control module operative to apply bandwidth utilization controls to the data flows 
based on the traffic class associated with the data flows. 

26. (currently amended) A method facilitating classification of data flows, comprising 

detecting, [[at]] by a network device, a data flow in network traffic traversing a 
communications path, the data flow flows each comprising at least one packet; 

parsing , by the network device, explicit attributes of at least one packet associated with 
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the data flow into a flow specification, 

matching , by the network device, the flow specification to a first plurality of traffic 
classes, wherein the first plurality of traffic classes are each defined by one or more matching 
attributes, 

having found a matching traffic class in the matching step, associating , by the network 
device, the flow specification corresponding to the data flow with a traffic class from the first 
plurality of traffic classes, 

not having found a matching traffic class in the first plurality of traffic classes, matching i 
by the network device, the data flow to at least one additional traffic class, the additional traffic 
class defined by an application behavior pattern, the application behavior pattern comprising 
comprises at least one instance of: a pattern of expected packet sizes for one or more packets of a 
data flow, a pattern of expected threshold information density values for one or more packets of 
a data flow, a threshold inter-flow timing value between data flows corresponding to a host, or a 
threshold number of related application data flows corresponding to a host. 

27. (previously amended) The method of claim 26 wherein the flow specification contains at 
least one instance of any one of the following: a protocol family designation, a direction of 
packet flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a 
multipurpose internet mail extensions (MIME) type, and a pointer to an application-specific 
attribute. 

28. (previously amended) The method of claim 26 wherein said flow specification contains, and 
wherein the one or more matching attributes include, at least one instance of any one of the 
following: a protocol family designation, a direction of packet flow designation, a protocol type 
designation, a pair of hosts, a pair of ports, a pointer to a multipurpose internet mail extensions 
(MIME) type, and a pointer to an application-specific attribute. 

29. (currently amended) A method facilitating the classification of network traffic, comprising 
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detecting, [[at]] by a network device, a data flow in network traffic traversing a 
communications path, the data flow comprising at least one packet; 

classifying , by the network device, the data flow into a network application of a plurality 
of network applications by 

applying a mathematical function to at least one packet in the data flow to derive 
a computed value that characterizes entropy of information contained in the at least one packet, 
wherein the entropy information corresponds to a level of randomness of data of the at least one 
packet; and 

comparing the computed value to at least one traffic class corresponding to the 
network application, said traffic class defined, at least in part, by a required computed entropy 
value. 

30. (original) The method of claim 29 wherein the required computed value is determined by 
applying the mathematical function to data flows known to be of the traffic class. 

3 1 . (original) The method of claim 29 wherein the mathematical function computes a value 
indicating the information density of at least one packet. 

32. (original) The method of claim 29 wherein the required computed value is a range of 
values. 

33. (currently amended) A method facilitating the classification of network traffic, comprising 

detecting, [[at]] by a network device, a data flow in network traffic traversing a 
communications path, the data flow comprising at least one packet containing a first checksum; 

applying , by the network device, a mathematical function to at least one packet in the 
data flow to derive a second checksum; 

comparin g, by the network device, the computed second checksum to the first checksum 
contained in the at least one packet; 
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matching , by the network device, the data flow to a traffic class, wherein the traffic class 
is defined at least in part by whether the computed second checksum should match the first 
checksum in the at least one packet. 
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